An Information Governance Approach to
Managing Unstructured Data
Anne Shultz
Illinois Institute of Technology
1
What is Unstructured Data?
Data which is not stored in a database
Electronic documents where the contents can take any shape
2
What is Information Governance?
Making decisions about what should be done with information
Promotes the idea that information is an organizational asset
(not just the responsibility of the Information Technology Dept.)
3
Where I’m coming from…
Previously employed at Toyota & GM auto-manufacturing plant
NUMMI (New United Motors Manufacturing Inc.)
Involvement in the development of NUMMI’s Information Governance Program
Came up with organization & security designs for company data
Piloted these designs using
IT Department data
Content/Record Management Systems
4
Inspiration for this project…
I learned a LOT about challenges of organizing & securing data at a large company
A particularly frustrating challenge:
Once we determined how data should be organized and secured,
Technology solutions did not allow for these controls
Technology solutions offered too much unneeded functionality
5
Unfortunately…
NUMMI closed April 1st, 2011
Information Governance Program was never completed
6
Experiences left me wondering…
Instead of starting with the technology and asking:
How can we use this technology to organize and secure our data?
What if we started with the data and asked:
How should our information be organized and secured?
7
The Goal
1. Use Information Governance activities to
Understand unstructured data,
Categorize unstructured data.
2. Use information gathered to create strategies for
Organizing unstructured data,
Securing unstructured data.
8
To help tell the story…
Company X
Is beginning an Information Governance Program
Wants to organize and secure unstructured data!
Also, going through a PeopleSoft HR Upgrade
This will provide specific examples for the presentation
4 employees will help tell the story…
9
Meet our Company X employees!
Name | Responsibility
Harriet Human Resources | HR Specialist; PeopleSoft HR Upgrade - Business Lead
Ralph Requisition | Purchasing Specialist; PeopleSoft HR Upgrade - handles purchasing for the project
Tammy Technology | IT Manager; PeopleSoft HR Upgrade - Project Manager
Carl Computer | IT Contractor; PeopleSoft HR Upgrade - Developer
10
Information Governance Activities Used:
Information Assessment
Gathering & understanding all information existing in the organization
Records Retention
Categorizing information and determining how long documents in each category should be kept
Information Classification
Identifying which information is sensitive and creating labels and handling rules for each level of sensitivity
11
Gathering & understanding all information existing in the organization.
12
Why Information Assessment?
Required to set direction and scope
Necessary for developing an effective information governance program.
You can’t govern something you don’t understand
13
In other words…
“There is so much information!
We don’t even know where to start!
How the heck are we supposed to organize and secure it if we don’t even know what we have??”
Harriet Human Resources, Carl Computer, Tammy Technology, Ralph Requisition
14
Many different approaches…
Technology Approach
Data Classification tools, Profiling tools, File share crawlers
Carl Computer runs a tool
Interview Approach
Interview business owners to determine which information is important
“So, Tammy Technology… what information is important to IT?”
Process Flow Information Discovery
Use process flow diagrams to identify information for each business process
(developed by Marika Taylor @ NUMMI)
Each key subject matter expert does a process flow chart of their processes to identify documents used
16
Process Flow Information Discovery
1. Identify department business functions
Completed by Department Management
2. Identify supporting business processes
Completed by Department Management
3. Diagram process flows
Completed by Key Subject Matter Experts
17
Process Flow Information Discovery
Example…
IT Department Business Functions:
• Business Planning
• Operations Maintenance
• System Development
Tammy Technology:
“These are all the functions of IT!”
18
Tammy Technology:
“Business Planning is anything related to
the administration or budgeting”
19
Tammy Technology:
“System Development is anything related to the development of
systems (like documents created
as part of a system upgrade)”
Carl Computer:
“Like PeopleSoft HR Upgrade documents!”
20
Tammy Technology:
“Operations Maintenance is
anything related to regular system upkeep & use.”
Carl Computer:
“Awesome!”
21
Operations Maintenance Business Processes:
Incident & problem management processes
System maintenance processes
Service request management processes
System security & compliance management processes
22
Carl Computer:
“Like the annual audit process!”
23
24
How is Information Assessment Applied to Unstructured Data?
Process Flow Information Discovery Chart method is useful for 2 reasons:
Enables understanding of key information, required for business
Department business functions & processes can be used as an organizational structure for unstructured data
25
Categorizing information and determining how long documents in each category should be kept.
26
In other words…
“Ok, now we know what we have…
When is it ok to get rid of it?”
Harriet Human Resources, Carl Computer, Tammy Technology, Ralph Requisition
27
Why Records Retention?
Why not keep everything?
Risk of a “smoking gun”
Inefficient – wading through old information is unproductive.
What could happen if information is disposed of too soon?
Litigation risk (example: Arthur Andersen Trial)
Impact to ongoing operations
28
Solution:
Develop a Records Retention Schedule
“a document that an organization uses to ensure that records are kept only as long as legally and operationally required, and that obsolete records are disposed of in a systematic and controlled manner.”
(Iron Mountain, n.d.)
29
But wait! …What is a Record?
“a file that gives an evidential account of either a whole incident or part of an incident that occurred in the past.
The record provides the factual information concerning that incident”
(Adam, 2008)
30
Example:
The signed business case is a record of this event
Contains evidence that the company approved this project
Tammy Technology:
“Woohoo! The project spending committee signed
off on the PeopleSoft HR Upgrade business case!”
31
Records Retention Schedule
1. Identify “Records” vs. “Working Copies”
   Example (Working Copy): Drafts of a record that never become final
2. Develop taxonomy:
   Record Function
   Record Class
   Information Type (and ID #)
3. Determine retention (Event + Time format)
   a. Legal Requirements
   b. Operational Requirements
4. Determine owning departments
32
33
Tammy Technology:
“Technical records from the PeopleSoft HR Upgrade would fall into this category.
These are owned by IT and should be kept for the life of the system.”
34
Ralph Requisition:
“The signed charter for the PeopleSoft HR Upgrade would fall into this category since it has to do
with company spending.
These records are owned by Purchasing.”
35
Harriet Human Resources:
“HR owns a lot of records that need to be kept for legal reasons.
For example, OSHA requires us to keep medical records for 30 years after an employee is terminated.”
36
How is Record Retention Applied to Unstructured Data?
Record Retention Schedule is useful for several reasons:
Enables understanding of Records vs. Working Copies
“Information Type,” & “Owning Department” can be used as metadata for unstructured data
Provides rules on when unstructured data must be disposed
Taxonomy can be used as an organization structure for unstructured data Records
37
Identifying which information is sensitive and creating labels and handling rules for each level of sensitivity.
38
Why Information Classification?
Prioritize data security according to risk!
Information classifications define how data should be handled and protected at each risk level
39
Example:
Tammy Technology:
“This shopping list for the PeopleSoft HR Upgrade Party
probably won’t hurt the company.
I don’t need to worry too much about protecting it.”
Carl Computer:
“This list of PeopleSoft HR admin passwords could really hurt the
company if it fell into the wrong hands!
I should make sure I really protect it!”
40
Information Classification Levels
“Public – Information, that if disclosed outside the company, would not harm the organization, its employees, customers, or business partners
Internal Use Only—Information that is not sensitive to disclosure within the organization, but could harm the company if disclosed externally.
Company Confidential—Sensitive information that requires ‘need to know’ before access is given.” (Appleyard, 2007)
41
Use information gathered to create strategies for
• Organizing unstructured data
• Securing unstructured data
42
In other words…
“Now we know what we should be doing with our data…
Now how do we make sure we actually are doing it with unstructured data?”
Harriet Human Resources, Carl Computer, Tammy Technology, Ralph Requisition
43
Unstructured data organization & security strategy
Each step uses products of the Information Governance Activities
44
Step 1 - Determine Information Access Requirements
Should be completed by each department individually
Can be done using Classification Levels with an Access Requirement Matrix
45
Access Requirement Matrix
Determining stable access requirements is difficult!
Frequent employee turn-over
Collaboration between departments and organizations
The Access Requirement Matrix
is used to identify access needs for Information Types
can be completed by asking 2 main questions:
What information needs to be accessed by whom?
For how long?
46
Example (IT Department Matrix)
[Figure: IT Department Access Requirement Matrix, built up over slides 47-55]
011 System Maintenance Documents
System Maintenance Documents are documents required for the regular upkeep & use of systems (like the PeopleSoft HR system)
Example: Notes or procedures for troubleshooting PeopleSoft HR system issues.
Putting this information type here on the diagram… means that these people can see it.
This includes…
There might also be PeopleSoft HR System Maintenance Documents that people in HR need to see.
Example: Notes or procedures for how access to the PeopleSoft HR system should be set up.
These would be placed here.
This way, these people can see them.
55
Example (Completed IT Matrix)
56
Classification Levels Overlaid to ensure access aligns with company policy
Example:
57
58
IT Matrix with Classifications Overlaid
59
60
Temporary Access Requirements
Example: Temporary project work
Access should be set up by the project manager with a due date
Due dates must be respected!
When the project is done, access must be removed.
61
Example:
Yay! Yay! Yay!
Tammy Technology:
As the project manager, I will make sure you all have access to
the PeopleSoft HR Upgrade folder!
62
Example:
Yay! Yay!
Tammy Technology:
But after the project, access to this folder will be
removed and records will be stored in the correct locations.
Aw, man!
63
Step 2 - Determine Functional Requirements
Outline functional differences between
Working copies
Records
Ensures information is managed appropriately at each stage of the information lifecycle
64
Information Lifecycle
[Diagram: Information Lifecycle. Stages shown: Document Creation & Collaboration; Dispose Working Copies; Retain Records; Event + Time…; Dispose Records]
65
Functional Requirements
Working Copies | Records
Must be shared | May be shared
Must be modified | MUST NOT BE MODIFIED!!!
Must be frequently accessed | May be accessed occasionally
Should be stored for easy access as work is being completed | Should be stored for easy disposal when retention is up
Can be disposed when no longer needed | Must not be disposed until Retention period ends!
66
Step 3 - Determine Functional Organization Design
How should data be organized?
Working Copies?
Records?
67
Functional Organization Design
Working Copies
Must be shared
Must be modified
Can be disposed when no longer needed
Must be frequently accessed
Should be stored for easy access as work is being completed
Could be organized according to Department Business Function
Example:
IT Department Business Functions:
• Business Planning
• Operations Maintenance
• System Development
68
Functional Organization Design
Records
May be shared
MUST NOT BE MODIFIED!!!
Must not be disposed until Retention period ends!
May be accessed occasionally
Should be stored for easy disposal when retention is up
Could be organized according to Record Retention Schedule, by Information Type
Example:
69
Step 4 - Determine Functional Access Design
How should access be set up?
For Records?
For Working Copies?
70
Functional Access Design
Working Copies
Must be shared
Must be modified
Can be disposed when no longer needed
Must be frequently accessed
Should be stored for easy access as work is being completed
Access should be set up using…
Access Requirement Matrix & Classification Levels
Temporary Access Set-up (for projects, etc.)
71
Functional Access Design
Records
May be shared
MUST NOT BE MODIFIED!!!
Must not be disposed until Retention period ends!
May be accessed occasionally
Should be stored for easy disposal when retention is up
In addition to basic Access Requirements:
Must be read-only once they become Records
Only owning department should add records to record folders
Only appointed Subject Matter Expert should dispose records for the owning department
72
Step 5 - Determine Metadata
Should be consistent across all information
Basic metadata
Metadata to describe how the data should be handled (functional)
73
Metadata
BASIC | FUNCTIONAL (handler instructions)
Creator | Rights
Title | Information Classification
File Type | Information Type
Date Created | Owning Department
Date Modified | Is this a Record?
Modified By | Has the Retention Event Occurred?
74
PROBLEM!
Too much metadata =
Too many steps to save a document!
75
PROBLEM!
Solution: Automation
76
Opportunities for Automation
Proposed Automation Requirements
Metadata | Assign Method | System Data Used to Assign | Action Triggered
Creator | Automated | determined by user's system username | None
Title | Manual | N/A | None
File Type | Automated | determined by application used to create document | None
Date Created | Automated | determined by system time & date information | None
77
Opportunities for Automation
Proposed Automation Requirements
Metadata | Assign Method | System Data Used to Assign | Action Triggered
Date Modified | Automated | determined by system time & date information | When entered, this should trigger: a. Logging by the system for future retrieval
Modified By | Automated | determined by user's system username | When entered, this should trigger: a. Logging by the system for future retrieval
78
Opportunities for Automation
Proposed Automation Requirements
Metadata | Assign Method | System Data Used to Assign | Action Triggered
Rights | Automated | Access rights assigned to the folder | If not aligned with Classification Levels: Error Message
Information Classification Level | Manual - drop down list of Information Classification levels | N/A | If not aligned with Rights: Error Message
79
Example:
If Carl Computer tries to save a “Confidential” document in an “Internal Use Only/Public” folder…
81
Error Message:
Rights for this folder:
- Contractors & above
- All Departments
Classification Levels allowed in this folder:
- Internal Use Only
- Public
Documents with any other classification level must be saved in a more secure folder.
Opportunities for Automation
Proposed Automation Requirements
Metadata | Assign Method | System Data Used to Assign | Action Triggered
Information Type | Manual - drop down list of Information Types, based on user’s access | user's access (user profile information) | When Information Type selected, this should trigger: assign “Owning Department” (of Information Type)
Owning Department | Automated | determined by Information Type | None
82
Example…
User is a contractor in IT
IT contractors can see these Information Types
(these will be available in the drop-down menu)
83
84
Example…
If the IT contractor selects “009 Business Cases, Vendor Bids, Proposals, Quotes,” the Owning Department populated will be “Purchasing,” since Purchasing owns this Information Type.
85
Opportunities for Automation
Proposed Automation Requirements
Metadata | Assign Method | System Data Used to Assign | Action Triggered
Record | Manual - check box | N/A | If {User Department <does not equal> Info Type Owning Department} Then {Error Message} Else {Send to Electronic Records Vault\Information Type Folder}
Event Occurred | Manual - check box (NOTE - Event Occurred should be able to be selected for an entire folder at once) | N/A | Start retention period
86
Example Error Message:
This document has the following information type:
[009 Business Cases, Vendor Bids, Proposals, Quotes]
This information type is owned by Purchasing.
Only members of the Purchasing Department can upload records with this information type.
87
Else… Send file to the correct folder in the
Electronic Records Vault
88
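The save-time rules proposed in the automation tables above (folder rights vs. classification level, Owning Department derived from Information Type, the Record check, and Event + Time retention), as an added Python example that is not part of the original presentation. The class and function names, the folder path and the retention years are assumptions made for illustration; the Information Type IDs, owners and error wording follow the slides.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Information Type -> (owning department, retention years after the event).
# IDs and owners follow the slides; the retention years are constructed.
INFO_TYPES = {
    "009 Business Cases, Vendor Bids, Proposals, Quotes": ("Purchasing", 7),
    "011 System Maintenance Documents": ("IT", 3),
}
VAULT = "Electronic Records Vault"


class GovernanceError(Exception):
    """Raised wherever the slides call for an error message."""


@dataclass
class Folder:
    path: str
    allowed_levels: frozenset  # classification levels the folder's rights permit


@dataclass
class Document:
    title: str
    classification: str
    info_type: str
    owning_department: str
    location: str
    is_record: bool = False
    read_only: bool = False
    dispose_after: Optional[date] = None


def save_document(title, classification, info_type, user_dept, folder,
                  is_record=False):
    # Rights vs. classification: reject a level the folder does not allow.
    if classification not in folder.allowed_levels:
        allowed = ", ".join(sorted(folder.allowed_levels))
        raise GovernanceError(
            f"Classification Levels allowed in this folder: {allowed}. "
            "Documents with any other classification level must be saved "
            "in a more secure folder.")
    if info_type not in INFO_TYPES:
        raise GovernanceError(f"Unknown information type: {info_type}")
    owner = INFO_TYPES[info_type][0]  # Owning Department is derived, not typed in
    doc = Document(title, classification, info_type, owner, folder.path)
    if is_record:
        # Only the owning department may add records to record folders.
        if user_dept != owner:
            raise GovernanceError(
                f"This information type is owned by {owner}. Only members of the "
                f"{owner} Department can upload records with this information type.")
        doc.is_record = True
        doc.read_only = True  # records must not be modified
        doc.location = f"{VAULT}\\{info_type}"
    return doc


def mark_event_occurred(doc, event_date):
    """Event + Time: start the retention period and return the disposal date."""
    if not doc.is_record:
        raise GovernanceError("Retention applies to records, not working copies.")
    years = INFO_TYPES[doc.info_type][1]
    try:
        doc.dispose_after = event_date.replace(year=event_date.year + years)
    except ValueError:  # event fell on Feb 29 and the target year has no Feb 29
        doc.dispose_after = date(event_date.year + years, 2, 28)
    return doc.dispose_after
```
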
Benefits of using this approach
Unstructured data required for business is identified
Organizational structures are developed
Working Copies: by business function & process
Records: by Record Retention Schedule categories
Security requirements are established.
Metadata are established
Basic & Functional
90
Next Step…
Identify and evaluate content management systems that can satisfy these requirements
91
Perspectives…
This is a lot of work! However….
This example was based on a large company implementation
It could be scaled down to fit a small company
The scope would be determined by the Information Assessment
A smaller company would have less information to deal with
92
“Questions?”
Harriet Human Resources, Carl Computer, Tammy Technology, Ralph Requisition
93